Wireshark-users: Re: [Wireshark-users] Yum install centos 5.2



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 11 Oct 2009 14:38:42 -0700


On Oct 11, 2009, at 2:09 PM, Mike Brandonisio wrote:

> Since I received the MAKE error, I stopped chasing that and did the yum install again.

Good idea - it's simpler.

> tshark does show what appears to be traffic.

So tshark is installed, but not wireshark?

Yup, Centos continues in the grand Red Hat tradition of "let's confuse users who want the Wireshark GUI as much as we possibly can":

	http://www.twistedethics.com/2008/08/06/install-and-run-wireshark-on-the-command-line-centos-52/

	To install a wireshark GUI type:

	yum install wireshark-gnome

	let it install, then find wireshark in Applications->Internet of Linux.

	Do remember that to install Wireshark first day you initially need to go:

	yum install wireshark


So, if you want Wireshark, with the GUI, try "yum install wireshark-gnome", as per the above.

> The main reason for all of this is to monitor/record HELOs/EHLOs to see what is impersonating my IP address to get me listed on CBL.

> tshark is giving me data like this:
>
> 5.603672 75.XX.XX.XX -> 74.xx.xx.xx TCP 51268 > 22 [ACK] Seq=1 Ack=3185 Win=65535 Len=0 TSV=246431382 TSER=315369746

What it's giving you there is an indication that 75.xx.xx.xx sent 74.xx.xx.xx an ACK of some TCP traffic that 74.xx.xx.xx sent from port 22 - the port for SSH. If you haven't specified a capture filter, you'll have to manually dig through tshark's output to find the SMTP traffic.

If you want just the SMTP traffic, you'll want to check the SMTP port - or ports, including the mail submission port, 587.
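The two routes Guy describes, as an added example that is not part of the thread: a tshark invocation that captures only the SMTP ports and keeps the HELO/EHLO requests, and an awk filter for digging SMTP lines out of unfiltered one-line tshark output. The interface name, the port list and the sample lines are assumptions.

```shell
# Added example, not code from the thread. Assumes tshark with capture
# privileges for the first function; the interface "eth0" is an assumption.

# 1. Capture filter (BPF) limits what is captured to the SMTP ports Guy names,
#    the display filter keeps only HELO/EHLO requests, and -T fields prints
#    who sent them and which name they claimed.
smtp_helo_capture() {
    iface="${1:-eth0}"
    tshark -i "$iface" -n \
        -f 'tcp port 25 or tcp port 587' \
        -Y 'smtp.req.command == "HELO" || smtp.req.command == "EHLO"' \
        -T fields -e frame.time -e ip.src -e ip.dst \
        -e smtp.req.command -e smtp.req.parameter
}

# 2. For output that was captured without a filter, keep TCP lines that touch
#    port 25 or 587 on either side plus lines tshark already dissected as SMTP.
#    Field positions follow the summary line quoted in the thread:
#    time src -> dst proto sport > dport ...
smtp_filter_lines() {
    awk '
        $5 == "SMTP" { print; next }
        $5 == "TCP" && ($6 == 25 || $6 == 587 || $8 == 25 || $8 == 587) { print }
    '
}

# Constructed sample of tshark summary output (documentation address ranges).
SAMPLE_TSHARK='5.603672 192.0.2.10 -> 198.51.100.5 TCP 51268 > 22 [ACK] Seq=1 Ack=3185 Win=65535 Len=0
5.701120 203.0.113.7 -> 198.51.100.5 TCP 40211 > 25 [SYN] Seq=0 Win=5840 Len=0
5.702330 203.0.113.7 -> 198.51.100.5 SMTP C: EHLO mail.example.net
5.900001 192.0.2.10 -> 198.51.100.5 TCP 51270 > 443 [SYN] Seq=0 Win=65535 Len=0
6.100200 198.51.100.5 -> 203.0.113.9 TCP 587 > 33001 [ACK] Seq=1 Ack=1 Win=65535 Len=0'

# Number of SMTP-related lines the awk filter keeps from the sample (3).
smtp_sample_count() {
    printf '%s\n' "$SAMPLE_TSHARK" | smtp_filter_lines | wc -l | tr -d ' '
}
```

Run `smtp_helo_capture eth0` on the mail host to log each claimed HELO/EHLO name against the real source address; the SSH ACK from the thread never reaches the output because the capture filter drops it before dissection.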
